In the Linux kernel, the following vulnerability has been resolved:
mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()
syzbot reported access to uninitialized memory in mbind() [1].
The issue came with commit bda420b98505 ("numa balancing: migrate on fault among multiple bound nodes").
This commit added a new bit in MPOL_MODE_FLAGS, but only checked the valid combination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in do_set_mempolicy().
This patch moves the check into sanitize_mpol_flags() so that it is also used by mbind().
[1]
BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
 __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
 mpol_equal include/linux/mempolicy.h:105 [inline]
 vma_merge+0x4a1/0x1e60 mm/mmap.c:1190
 mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811
 do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333
 kernel_mbind mm/mempolicy.c:1483 [inline]
 __do_sys_mbind mm/mempolicy.c:1490 [inline]
 __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_alloc_node mm/slub.c:3221 [inline]
 slab_alloc mm/slub.c:3230 [inline]
 kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235
 mpol_new mm/mempolicy.c:293 [inline]
 do_mbind+0x912/0x15f0 mm/mempolicy.c:1289
 kernel_mbind mm/mempolicy.c:1483 [inline]
 __do_sys_mbind mm/mempolicy.c:1490 [inline]
 __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae
=====================================================
Kernel panic - not syncing: panic_on_kmsan set ...
CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G B 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106
 dump_stack+0x25/0x28 lib/dump_stack.c:113
 panic+0x44f/0xdeb kernel/panic.c:232
 kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186
 __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208
 __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
 mpol_equal include/linux/mempolicy.h:105 [inline]
 vma_merge+0x4a1/0x1e60 mm/mmap.c:1190
 mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811
 do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333
 kernel_mbind mm/mempolicy.c:1483 [inline]
 __do_sys_mbind mm/mempolicy.c:1490 [inline]
 __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae
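The consolidated validation the fix describes, written here as a user-space model (added illustration, not code from the kernel tree): the mode/flag constants are copied from include/uapi/linux/mempolicy.h, and the helper mirrors the shape of the fixed sanitize_mpol_flags() so that one check rejects MPOL_F_NUMA_BALANCING outside MPOL_BIND for both set_mempolicy() and mbind() callers.

```c
#include <errno.h>
#include <stdio.h>

/* Mode values and mode flags as defined in the uapi header
 * include/uapi/linux/mempolicy.h; MPOL_MAX is the sentinel (newer kernels
 * add further modes before it, which this model leaves out). */
enum { MPOL_DEFAULT, MPOL_PREFERRED, MPOL_BIND, MPOL_INTERLEAVE, MPOL_LOCAL, MPOL_MAX };

#define MPOL_F_STATIC_NODES	(1 << 15)
#define MPOL_F_RELATIVE_NODES	(1 << 14)
#define MPOL_F_NUMA_BALANCING	(1 << 13)
#define MPOL_MODE_FLAGS \
	(MPOL_F_STATIC_NODES | MPOL_F_RELATIVE_NODES | MPOL_F_NUMA_BALANCING)

/* User-space model of the fixed sanitize_mpol_flags(): split the raw mode
 * argument into mode and flags, then apply every validity rule in this one
 * helper so that set_mempolicy() and mbind() cannot diverge again.
 * Returns 0 or -EINVAL, as the kernel helper does. */
static int sanitize_mpol_flags(int *mode, unsigned short *flags)
{
	*flags = *mode & MPOL_MODE_FLAGS;
	*mode &= ~MPOL_MODE_FLAGS;
	if ((unsigned int)*mode >= MPOL_MAX)
		return -EINVAL;
	/* static and relative node semantics are mutually exclusive */
	if ((*flags & MPOL_F_STATIC_NODES) && (*flags & MPOL_F_RELATIVE_NODES))
		return -EINVAL;
	/* the check the patch moved here: NUMA balancing only with MPOL_BIND */
	if ((*flags & MPOL_F_NUMA_BALANCING) && *mode != MPOL_BIND)
		return -EINVAL;
	return 0;
}

/* Validate one raw mode argument exactly as mbind() now sees it. */
int check_mbind_mode(int raw_mode)
{
	unsigned short flags;
	return sanitize_mpol_flags(&raw_mode, &flags);
}

int main(void)
{
	/* the combination from the syzbot report versus the legal one */
	printf("MPOL_LOCAL | MPOL_F_NUMA_BALANCING -> %d\n",
	       check_mbind_mode(MPOL_LOCAL | MPOL_F_NUMA_BALANCING));
	printf("MPOL_BIND | MPOL_F_NUMA_BALANCING -> %d\n",
	       check_mbind_mode(MPOL_BIND | MPOL_F_NUMA_BALANCING));
	return 0;
}
```

Before the fix only do_set_mempolicy() made the MPOL_BIND check, so the same raw mode passed through mbind() reached mpol_new() unrejected; with the check in the shared helper the first call above fails with -EINVAL and the second succeeds.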